InfoSec Insider

Unsanctioned Apps Invite Fox into Cybersecurity Hen House

In this InfoSec Insider, Tim Bandos looks at why network admins will want to keep a close watch on network traffic within the enterprise.

Conventional wisdom has shown there’s a short line between a company’s highest point of risk – its employees and a compromise.

Unsanctioned, or shadow applications, are apps that haven’t been cleared by a company’s information security team. These apps, on employee machines, have long been a popular attack vector for saboteurs and employees looking to leak data.

While risky insiders have increasingly taken to using legitimate, hard to detect tools already installed on the endpoint – such as PowerShell, WMI, Cmd.exe to hijack machines with malware – there’s no shortage of seemingly benign apps that can evade detection, exfiltrate data and jeopardize an organization.

Instant Messaging Apps

Instant-messaging apps are installed on practically every employee’s machine. The majority have been vetted and approved for the workplace. In most environments clients include Skype or a collaborative co-working tool such as Slack. But, it’s the unknown, unsanctioned chat apps that can expose companies to danger.

Applications like Pidgin, an open source instant messaging client used on millions of systems worldwide, can be used for more than just communicating with co-workers. In some environments the free chat client can be leveraged as a command and control tool for controlling backdoors and running arbitrary commands on infected endpoints.

While instant messaging can be a valuable communication tool, the use of unauthorized apps can expose organizations to potentially damaging data risks.

Malicious Browser Extensions

Browser extensions, which can deliver malicious URLs, in turn weaponizing the browser, have been historically difficult to secure. It’s rare a week goes by without hearing that Google has removed scores of malicious browser extensions from its Chrome Webstore.

While the vector has always been a hotbed for attackers, as of late many extensions have been laden with malware used for click-fraud campaigns and cryptocurrency mining. With the amount of traffic that can be generated, cryptocurrency mining can have a devastating effect on an organization’s endpoint and network.

The authors behind in-browser cryptojacking extensions have been quick to fight back against detection. Many run their processes through proxy servers to obscure the loading of cryptojacking service names. Others run their processes through custom mining pools, something which enables them to separate the mining from the cryptojacking, but still deceive users.

Pirated Apps

Pirated apps, apps sold outside of official web stores, have been surfacing more frequently on stores, including Microsoft’s. These apps, when laced with malware, spyware, or worse, can open networks up to attackers. While these apps may mimic legitimate ones, in many instances they’re simply a shell of the app itself, injected instead with malware

The Problem with Unsanctioned Apps

There are a series of inherent difficulties with these shadow apps. Some of the biggest problems isn’t merely the presence of the apps in the first place, it’s the fact they can’t be patched like regular apps can be.

Ordinarily enterprises have a strictly regimented patching process in place tied to regular third-party patch cycles such as Microsoft Patch Tuesday or Oracle’s Critical Patch Update. Having unexpected vulnerable applications running alongside standard software could allow an attacker to leverage exploits and gain unauthorized access to the device or network.

There’s also the off chance a rogue app could cause instability issues on an organization’s endpoint. In some virtual machine scenarios, it’s unlikely that adequate testing has been conducted on the app and whatever suite of applications it may be installed alongside it on the golden image.

In other situations, these apps could be rigged to leverage network functionality to third party sites that an organization may not even be familiar with, let alone monitor properly.

A perfect example could be an attacker using an FTP application his or her organization may not monitor. Once an attacker has access to the data, it’s possible he or she could exfiltrate it via the protocol without their organization being none the wiser.

Covert egress activity can always open the door to potential data theft.

Once an organization establishes which applications in an ecosystem can be allowed, caution needs to be taken ensuring additional apps that integrate with that app – apps the IT department may not be aware of – don’t proliferate. Countless third-party apps interact with cloud storage apps such as Dropbox and Box, but if these avenues aren’t identified, they could ultimately pose a threat to businesses.

(Tim Bandos is senior director of cybersecurity at Digital Guardian)

Suggested articles